How to secure a JAX-WS web service on WebLogic

The following step-by-step instructions show how to create a secured JAX-WS web service that can be accessed only by providing a user name and password.

I will be using WebLogic Server 10.3 to deploy and test the web service.

The web service uses the @Policies and @Policy annotations, which are WebLogic-specific.

WebLogic lets us secure our web services with a security policy file (an XML file that describes which kind of security is enabled on the web service).

So the first step is to create a security policy XML file. Since we will be securing our web service with a user name and password only, I will be using the following usernametoken.xml file:

————————————-usernametoken.xml—————————————————————————————-

<?xml version="1.0"?>
<wsp:Policy
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512">
  <sp:SupportingTokens>
    <wsp:Policy>
      <sp:UsernameToken
          sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
          <sp:WssUsernameToken10/>
        </wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SupportingTokens>
</wsp:Policy>

————————————————————————————————————————————

The directory structure used in this example is as follows:

Secure-JAX-WS-Example
    build.xml
    policy
        usernametoken.xml
    src
        Hello.java

So, you have to place the above usernametoken.xml file in the policy directory within the base directory, Secure-JAX-WS-Example.

Now place the Hello.java file shown below in the src directory:

—————————————-Hello.java ——————————————————–

// Web service secured by username/password.
// This web service uses the security policy file "usernametoken.xml".
package demo;

import javax.jws.WebService;

import weblogic.jws.Policies;
import weblogic.jws.Policy;

@WebService
@Policies({ @Policy(uri = "../policy/usernametoken.xml") })
public class Hello {

    // Returns a greeting; the attached policy requires a UsernameToken on every request.
    public String sayHello(String name) {
        return "Hello : " + name;
    }
}

————————————————————————————————-

Notice that in the above Java file the @Policies annotation attaches the security policy file to this web service.

The @Policy annotation provides the relative URI of the policy XML file with respect to the location of this Java file.

Now we have to build this web service, together with its policy file, using the WebLogic web service Ant tasks. I am providing a snippet of the build.xml file that can be used to build this web service and deploy it to the WebLogic server:

—————–BUILD.XML file—————————————————————————————————

<project name="WebService_username_token" default="all" basedir=".">

  <!-- Setting the property values -->
  <property name="ws.file" value="Hello" />
  <property name="ws.file.dir" value="${basedir}/src" />
  <property name="ear.dir" value="${basedir}/Ear" />
  <property name="client.dir" value="${basedir}/Clientdir" />

  <!-- Admin credentials and address of the target server; adjust to your domain (step 3) -->
  <property name="wls.username" value="weblogic" />
  <property name="wls.password" value="weblogic" />
  <property name="wls.hostname" value="localhost" />
  <property name="wls.port" value="7001" />
  <property name="wls.server.name" value="AdminServer" />

  <!-- setting the classpath for the web service generation -->
  <path id="service.class.path">
    <pathelement path="${java.class.path}"/>
  </path>

  <!-- setting classpath for executing the client class -->
  <path id="client.class.path">
    <pathelement path="${client.dir}"/>
    <pathelement path="${java.class.path}"/>
  </path>

  <!-- WebLogic Ant tasks used below; the classes come from the classpath set by setDomainEnv -->
  <taskdef name="jwsc" classname="weblogic.wsee.tools.anttasks.JwscTask" />
  <taskdef name="clientgen" classname="weblogic.wsee.tools.anttasks.ClientGenTask" />
  <taskdef name="wldeploy" classname="weblogic.ant.taskdefs.management.WLDeploy" />

  <target name="all" depends="clean,server,deploy" />

  <target name="build" depends="clean,server" />

  <target name="clean">
    <delete dir="${ear.dir}"/>
    <delete dir="${client.dir}"/>
  </target>

  <!-- building the service -->
  <target name="server">
    <mkdir dir="${ear.dir}"/>
    <jwsc
        srcdir="${ws.file.dir}"
        destdir="${ear.dir}"
        classpath="${java.class.path}"
        fork="true"
        keepGenerated="true"
        deprecation="true"
        debug="true"
        verbose="false">
      <jws file="${ws.file}.java" explode="true" type="JAXWS"/>
    </jwsc>
  </target>

  <!-- deploying the generated application to the server -->
  <target name="deploy">
    <wldeploy
        action="deploy"
        verbose="true"
        failonerror="true"
        name="UsernameTokenEar"
        source="${ear.dir}"
        user="${wls.username}"
        password="${wls.password}"
        adminurl="t3://${wls.hostname}:${wls.port}"
        targets="${wls.server.name}" />
  </target>

  <!-- building the standalone client -->
  <target name="build-client">
    <clientgen
        type="JAXWS"
        wsdl="http://${wls.hostname}:${wls.port}/${ws.file}/${ws.file}Service?WSDL"
        destDir="${client.dir}"
        packageName=""
    />
  </target>

  <!-- compiling the standalone client -->
  <target name="client-comp">
    <javac
        srcdir="${client.dir}" destdir="${client.dir}"
        classpath="${java.class.path};${client.dir}"
        includes="MyClient.java"/>
  </target>

  <!-- executing the compiled client class -->
  <target name="run">
    <java
        fork="true"
        classname="MyClient"
        failonerror="true">
      <classpath refid="client.class.path"/>
      <arg line="http://${wls.hostname}:${wls.port}/${ws.file}/${ws.file}Service?WSDL" />
    </java>
  </target>

</project>

——————————————————————————————————————————-

To run the above example, follow these steps:

1: Create a directory named Secure-JAX-WS-Example.

2: Within this directory create the following directories:

a) src: place Hello.java in this src directory.

b) policy: place the usernametoken.xml file in this policy directory.

The build.xml file should be placed directly under the Secure-JAX-WS-Example directory.

3: Make sure that the WebLogic server is running, and adjust the values in the build.xml file (WebLogic username, password, host name, port, etc.) to match your server.

4: Now open a command prompt and run the setDomainEnv.cmd file to set the environment required for executing the Ant tasks defined by WebLogic and used in the build.xml file.

5: After running setDomainEnv.cmd, in the same command prompt move to your working directory, i.e. the Secure-JAX-WS-Example directory, and execute the following Ant targets one by one:

ant build (press Enter)

If the result is successful, then execute the next target:

ant deploy

Now you can log in to the Admin Console of the WebLogic server and go to the Deployments tab.

Within the deployment summary we can see that the web service has been deployed.

Now click on UsernameTokenEar.

Then click on the Testing tab at the top of the WebLogic Admin Console.

Then expand HelloService.

Now click on the Test Client link shown next to /Hello/HelloService.

Another window opens: the WebLogic Web Service Test Client window.

Now type some string in the given space and click on the sayHello button.

The response shows an error message reporting an invalid Security Fault.

This is because the web service now expects the username and password along with the SOAP request, and since the WebLogic Test Client has no way to pass the username/password token, the web service is not invoked successfully.

So, by following these steps you can make your JAX-WS web service secure.

Now, in order to invoke this web service, you will have to write a client that can pass the username and password with the request and so invoke the service successfully.
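
A minimal client of that kind, added here as an example and not the original author's MyClient: it builds the SOAP request by hand with SAAJ and puts the WS-Security 1.0 UsernameToken required by usernametoken.xml into the header. It assumes the JAX-WS defaults for Hello.java (target namespace http://demo/, parameter name arg0), the /Hello/HelloService endpoint shown in the test console, and credentials supplied through the hypothetical environment variables WS_USER and WS_PASSWORD.

```java
import javax.xml.namespace.QName;
import javax.xml.soap.*;

// Added example, not the original author's client. Uses SAAJ (bundled with Java SE 6-8).
public class MyClient {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/"
        + "oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/"
        + "oasis-200401-wss-username-token-profile-1.0#PasswordText";

    // Builds a sayHello request whose header carries the UsernameToken the policy requires.
    static SOAPMessage buildRequest(String user, String password, String name) throws SOAPException {
        SOAPMessage msg = MessageFactory.newInstance().createMessage();
        SOAPEnvelope env = msg.getSOAPPart().getEnvelope();
        SOAPElement security =
            env.getHeader().addHeaderElement(new QName(WSSE, "Security", "wsse"));
        SOAPElement token = security.addChildElement(new QName(WSSE, "UsernameToken", "wsse"));
        token.addChildElement(new QName(WSSE, "Username", "wsse")).addTextNode(user);
        SOAPElement pw = token.addChildElement(new QName(WSSE, "Password", "wsse"));
        pw.setAttribute("Type", PASSWORD_TEXT); // the password travels as plain text
        pw.addTextNode(password);
        // Assumed JAX-WS defaults for Hello.java: namespace "http://demo/", parameter "arg0".
        SOAPElement op = env.getBody().addBodyElement(new QName("http://demo/", "sayHello", "ns"));
        op.addChildElement("arg0").addTextNode(name);
        msg.saveChanges();
        return msg;
    }

    public static void main(String[] args) throws Exception {
        // args[0] is the WSDL URL from the "run" target; dropping the query gives the endpoint.
        String endpoint = args[0].replaceFirst("\\?.*$", "");
        // WS_USER and WS_PASSWORD are variable names made up for this example.
        String user = System.getenv("WS_USER");
        String password = System.getenv("WS_PASSWORD");
        if (user == null || password == null)
            throw new IllegalStateException("set WS_USER and WS_PASSWORD");
        if (!endpoint.startsWith("https://"))
            System.err.println("warning: sending the password over unencrypted HTTP");
        SOAPConnection conn = SOAPConnectionFactory.newInstance().createConnection();
        try {
            SOAPBody reply =
                conn.call(buildRequest(user, password, "World"), endpoint).getSOAPBody();
            System.out.println(reply.hasFault()
                ? "Fault: " + reply.getFault().getFaultString() : reply.getTextContent());
        } finally {
            conn.close();
        }
    }
}
```

The policy above asserts only the username token, with no transport or message protection, so the password is readable on the wire unless the endpoint is reached over HTTPS; that is why the client warns on an http:// URL.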
